Author: Ilia Adham (Guest)
Posted: Fri Jan 21, 2005 9:45 pm
Post subject: How to get rid of this ( SBS 2000 )

Hello everyone,
We have a SBS 2000 with exchange and host the mail server locally behind a
firewall.
Recently we have been getting mail infected with a virus called
W32/SDBot.BAY. The first part of the sender's email is made up of random
letters and the domain is consistent. Something like ABDF@cnn.com or
GKYER@cnn.com. We are using GFI mail security and those emails are stopped
and quarantined before they get to the end user. We had found what IP
address those emails were coming through and sent a message to
abuse.rr.com and asked for a fix. Maybe they fixed it but now the IP source
has changed and belongs to the same IP provider. The other day I noticed that
within the console of the SBS under SMTP virtual server on the current
sessions there was a user (127.0.01) from (24.31.147.142)
http://pcnservices.com/sbs/sbs2000.bmp. I checked some of the quarantined
emails and found out that those emails were coming from this IP
24.31.147.142.
Are we in big trouble here? Any suggestions would be very appreciated.
Thanks in advance.
.....ilia

Author: Rich Matheisen [MVP] (Guest)
Posted: Sat Jan 22, 2005 8:10 am
Post subject: Re: How to get rid of this ( SBS 2000 )

"Ilia Adham" <nospam@maine.rr.com> wrote:
> Hello everyone,
> We have a SBS 2000 with exchange and host the mail server locally behind a
> firewall.
> Recently we have been getting mail infected with a virus called
> W32/SDBot.BAY. The first part of the sender's email is made up of random
> letters and the domain is consistent. Something like ABDF@cnn.com or
> GKYER@cnn.com. We are using GFI mail security and those emails are stopped
> and quarantined before they get to the end user. We had found what IP
> address those emails were coming through and sent a message to
> abuse.rr.com and asked for a fix. Maybe they fixed it but now the IP source
> has changed and belongs to the same IP provider. The other day I noticed that
> within the console of the SBS under SMTP virtual server on the current
> sessions there was a user (127.0.01) from (24.31.147.142)
> http://pcnservices.com/sbs/sbs2000.bmp. I checked some of the quarantined
> emails and found out that those emails were coming from this IP
> 24.31.147.142.
> Are we in big trouble here?

Not if you drop the infected mail.

> Any suggestions would be very appreciated.

Don't quarantine 'em. Nuke 'em.
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm

Author: Ilia Adham (Guest)
Posted: Sat Jan 22, 2005 7:28 pm
Post subject: Re: How to get rid of this ( SBS 2000 )

Thanks Rich.
How about what I see under SMTP virtual server on the current sessions where
the IP of the sending machine appears? Here is what I see
http://pcnservices.com/sbs/sbs2000.bmp
Thanks,
....ilia
http://www.pcnservices.com (207) 318-2381

Author: Rich Matheisen [MVP] (Guest)
Posted: Sun Jan 23, 2005 4:34 am
Post subject: Re: How to get rid of this ( SBS 2000 )

"Ilia Adham" <nospam@maine.rr.com> wrote:
> Thanks Rich.
> How about what I see under SMTP virtual server on the current sessions where
> the IP of the sending machine appears? Here is what I see
> http://pcnservices.com/sbs/sbs2000.bmp

You can block IP addresses, networks, SMTP addresses, domains, etc.
from the SMTP Virtual Server property pages.
Blocking a single IP address is usually ineffective in the long run
because the spammers that use large commercial ISPs take advantage of
free (read: disposable) accounts and they'll just move to another IP.
If IP address blocking is all you're after then couple that with a
product that uses DNS RBL's (not the greatest way to go about this,
but for small shops it's effective).
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
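
An added example, not part of the thread and not written by any of its posters: it groups the connecting IPs of quarantined messages by network, which shows a sender hopping between addresses at one provider, and builds the reversed-octet name a DNS RBL lookup uses. The zone `dnsbl.example`, the sample addresses and the `constructed_resolver` stand-in for DNS are assumptions made for illustration.

```python
import ipaddress
import socket
from collections import Counter

# Constructed sample: connecting IPs of quarantined messages (documentation
# ranges, not the addresses from the thread).
SAMPLE_CLIENT_IPS = ["198.51.100.23", "198.51.100.87", "198.51.100.140",
                     "203.0.113.9", "198.51.100.23"]
ZONE = "dnsbl.example"  # hypothetical zone; substitute the list you subscribe to


def sources_by_network(ips, prefix=24):
    """Count messages per /prefix network, busiest first."""
    counts = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips
    )
    return counts.most_common()


def dnsbl_query_name(ip, zone=ZONE):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """True when the zone answers with an A record in 127.0.0.0/8."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror:  # no such name: the address is not listed
        return False
    return answer in ipaddress.ip_network("127.0.0.0/8")


def constructed_resolver(name):
    """Offline stand-in for DNS: lists one sample address (constructed data)."""
    listed = {"23.100.51.198.dnsbl.example": "127.0.0.2"}
    if name not in listed:
        raise socket.gaierror("constructed NXDOMAIN")
    return listed[name]


if __name__ == "__main__":
    for network, hits in sources_by_network(SAMPLE_CLIENT_IPS):
        print(f"{network}: {hits} message(s)")
    for ip in sorted(set(SAMPLE_CLIENT_IPS)):
        state = is_listed(ip, resolve=constructed_resolver)
        print(ip, "listed" if state else "not listed")
```

Leaving `resolve` at its default performs a real DNS query against the configured zone.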